
Well, welcome. Join me here on the interviews channel that we're doing for BSides Lisbon 2017. So, talk a bit about yourself, but whatever, why are you here? We were just discussing that you're actually giving a talk for two hours. So yeah, my name is Thomas, I work for a company called Digital Guardian, and one of my roles is to actually look at advanced threats, so look at what's essentially attacking data. So we're very specialised in data protection, right? So we look at, if you think about data leaks, you know, like then GDPR in Europe right now, so what we try to do is actually look at how customers
understand what kind of threats are happening to data, and that can be insider or outsider. And one of the challenges that we have is you can actually collect a lot of information when you're monitoring data, right? So when you're actually picking up, looking at data, you're potentially generating gigabytes and gigabytes of data. So how do you handle that? Well, a couple of years ago people started talking about threat hunting and you started seeing the marketing literature, so I delved into it to see what is it really about, right, and what do you do when you're doing it, when you call yourself a threat hunter. So the presentation this afternoon
is all about that. It's like my story of how I understand threat hunting, but I also noticed some things that just don't work for me, that we could do better today, such as reliance on too much machine, right? Too much reliance on... people are talking about, oh, we need machine, you know, a lot of these vendors are talking about, wait, you need machine learning, you need AI to help you to do the threat hunting, you're all this machine learning, like, but you know, there's nothing better than a pair of eyes attached to a brain. So when you look at it, it's like, what are we actually missing, right? Because you've got all of,
when you think about what's going on and you're looking at incident response, right, because this is an extension of incident response, but that's essentially, it's a means to actually start an incident response event and then the forensics work that you need to do, so it's a means of detecting something. But the idea is that we're so focused on triggering an incident response based on an alert, based on an event that we know, or we use things like MITRE ATT&CK or use some of all these FBI notices or, you know, NIST notices or any CERT notices and things like, you know, latest attacks, that what are we actually missing though, you know, right? Because you're triggering on
something that you know. What about all the unknowns, right? We've been talking about the unknown unknowns for so many years, so how do you actually find them, right? And one of the founding principles is you need to understand your environment, you know, to understand your infrastructure, what's happening. And what are the things that we don't do very well in security, and there's a lot of people that are trying to change that, I'm one of them, but preaching that we need to think about the business rather than security. So we need to be more business aware and more business process aware security. I don't know if you were at the lightning talks last night, but one of the guys was talking about
security, you know, being business aware, or security, you know, that's something that we need to focus more of our attention on, because businesses change, they adapt. You have, you know, we've been talking about this for years as well, that the current generation is coming into work, it's the workforce, and that current generation is enabled, I mean, I tell ya, right now, Feist and Abel and everything, so they're bringing in bring your own device, you know, all that kind of stuff, and they have expectations on what they want to do with IT and with our systems, right? And they expect to have all of these applications on hand, yeah, right? They're doing things that a lot of businesses are trying to
adapt with at an alarming rate. So IT security kind of gets, as usual, as a second thought, right? So you kind of think, so we need to change that attitude, right? We need to think how do we do security in the sense that we become more business aware. Well then, putting that into kind of perspective, you have kind of two ways, right? We have the security, well, on explaining security to the infosec professionals, and then explaining security to consumers, or to the other, to users, yeah, and that's kind of two different paths, right? Because at the end it's about, someone once told me that the weakest link in security is
actually the human being, right? It's not the computer, it's the other... yes, three, yeah, yeah, exactly. So it's the guy between the chair and the computer. So, but bottom line, as you explained, so there's a lot of, we bring in new devices to companies, we expect things to work as they do in normal life, your applications with everything related, and your security usually tries, it's not ahead of things, you don't usually try to patch, yeah, those kind of activities. Reactive. So we know, active, so we need to be more proactive regarding security, yeah. And people in the ways, so this isn't really part of the talk this afternoon, but it's
something that I also try to talk to people about, and I talk to a lot of, potentially, yes, some of the customers I talk to and things like that. It's about, to become that more proactive, you need to understand the business, you know, that we're going back to that. We need to understand the business directions, you need to understand the business workflows and you need to understand what's driving the business, right? Why the business might change direction, why things change, why they need to adapt new things. So if you understand what is a normal day's activity, you can start to detect the anomalies, right? So patching the
processes and workflows, by... yeah, yeah, essentially, yeah. You're looking at building something that's not technology based but more, I'm just, you know, event or correlation based, right? So if a business is driving towards moving to Office 365, how do I adapt my processes and procedures and potentially tools at the end of the day, but how do I adapt that to be more secure and not impede the business? And, you know, you either need to... you also mentioned about the AI and machine learning related to security, is that something that we should expect in the future, or you think it's probably gonna, we're gonna start, we saw it, was there's a
big, been a big focus this year. And I mean, I don't know if you went to Black Hat this year, but at Black Hat a lot of the little startup type activities that were going on, they were all talking about machine learning and they were all focused on doing, you know, that machine learning aspect. It depends on the way you define machine learning. So I don't know if you know Alex Pinto? I don't know. So if you talk to Alex, I know Alex pretty well too, and if you talk to Alex, you know, machine learning isn't that complicated, right? It's about, you know, you have inputs and you want an output, so you
train, you train your engine to produce that output. We're collecting more and more events, right? We keep adding, as a security professional, so we keep adding tools, because we have that next-generation threat, you have that next generation thing and so there's a next generation tool to help you with that lecture, but you're generating data and you're not really using it, right, to understand what's going on. So we have that business workflow situation, so let's generate a set of events, a set of events which you understand and identify, and you can train your machine learning to actually say, okay, these are typical normal events, so here's something that I want you to weed out of all of
the noise that I'm seeing and all of the information that I'm seeing, so that you can actually take a condensed view of your information and highlight what's outside of the scope, right? Yeah, what's really important. Exactly, and you can start to build trends. The problem I have right now is that I've looked at some of these quote unquote analytics, AI, machine learning solutions, and most of them are just basically filters. They're trends, okay, they calculate trends, so you're basically trending your data. Hmm, that's useless, because as an attacker I could just hide, and when you know it's like, it's really simple. So I mean, I saw one, because of that data
protection aspect that we do, there was one of those trying to pitch us on, oh yeah, we can tell you when you use, as in emailing, the typical email ratio, so we can highlight when somebody's trying to exfiltrate data on email, via email. And I'm like, yeah, but we do that today. How do you do that today? Well, it's a trend, right? I mean, the user comes in nine o'clock in the morning, he turns on his Outlook client and all the email gets downloaded, he responds to his emails, he does some work, he might respond to some emails during the day, lunch time he goes out, comes back,
there's another email flurry, and about the end of the day there's very little email. So we don't run it... that's like, yeah, but we can do it better, I'll tell you. Okay, here's some data, do it better. So I literally, I mean, I showed them my charts with basic, yeah, statistical analysis versus their machine learning charts and it was like a one to one match, the same bit. So basically you're asking me to pay a crapload of money to get a statistical engine? Nope, it's math. And this is a way, if you know Alex, it's like, when people tell you it's math, just walk away. Yeah. That's why I come back to my,
you know, in my talk, I talk about there's nothing better than a, yeah, pair of eyes attached to a human brain, because the human brain is fantastic, you can, you know, correlate things exactly in a different manner than any system will ever be able to. Yeah, because it has also the further picture, and I know that human behavior, right? So I just drain this. So you're still, you're one of the organisers as well from the BSides London, right? Correct. And you're here at BSides Lisbon for the first time, is that it? Yeah, this is my first time, right. So how do you compare both, or can you compare, or is... now, so
I, you know, I've, I directly go to BSides Las Vegas, I've run BSides London, I went to BSides I'm Suzanne this year, it was the first time, I've been twice to BSides Athens, BSides the end as well I've been to a few times. It's all different, because although we're, you know, quote-unquote a global community, I think each country has its own specificities, and people are slightly different in each country. And, you know, I've grown up all over the world, so I actually, I mean, I'm originally French, for example, and I've lived everywhere. I think, yeah, people have different ways of addressing the problem, right? They have different
methods, and it's nice to be kind of moving around these different communities, yeah, pockets of community, because you learn things, you know, see how people are different in the way that they network together. I also like the fact that, you know, like BSides Lisbon is smaller, right? So I mean, we're still, yeah, we're running at 900 plus. Yeah, yeah, but you know what, yeah, and plus the symphysis, so yeah, it's, I mean, we're like third or fourth biggest, I mean, in the, you know. I know, I stopped going to it for a second, because there's a lot of noise around, but it's usually fun
to meet everyone there and to see everyone there. Yeah, it is, I mean, and that's why a lot of people, you know, they say they're going to Infosec but they actually come and see us. I mean, I like the smaller, I like this one of the aspects of some of these, you know, we don't know these sizes, because you have more opportunity to network. It's different, I wouldn't compare, I mean, it's completely different. I mean, everybody has their way of doing things, that's what I quite like about BSides, right? It's like, although it's become a global brand and people recognize it as, you know, a security conference, yeah, a
small security conference, community-driven security conference, each one has its own specialities, its own peculiarities, its... Now, are you enjoying Lisbon's sunny weather? I have some, I have some bigger ones somewhere, I think, you know, I was like, alone, I like this morning he was talking about you could almost put Lotus Notes or whatever on the... I literally loaded the Apple operating system, I think it was 10 or 15 of these things, on my Apple II. I mean, you know, it's like, I've been in this industry for a long time and you're sitting there, you're like, yeah, this is... well, the first IBM PS/2 is changing this while the OS loaded.
I know, I had one of those. Excellent, thank you very much for coming, and, well, hope to see you at BSides London. Yeah, that's... bye, thanks.